Should encryption be explicitly prescribed in Data Security and Privacy legislation like the Massachusetts Data Privacy Law and the White House cybersecurity initiative? If so, what strength or method? Should there be a minimum strength? What do you think?

Have you examined NIST guidelines? You may take a look here.
Data encryption rules, regulations and guidelines vary from state to state. In some states, if the sensitive data is encrypted (regardless of the key length/strength), it is OK.


Implement encryption that people will use and that does not require a significant amount of management overhead (key management: creation, recovery, lifecycle). It should be cost effective for the population size and user education. Any modern system with a key length of 1024 bits or better should be adequate.

I have been looking into the impacts of the MA law, and they specify encryption that uses "... an algorithmic process, or alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key...", which is pretty wide open as far as actual strengths and methods to meet compliance.
Further, only data that is transmitted across public networks, wirelessly or stored on laptops needs to be encrypted, so depending on how your organization works this could be a huge deal or trivial.
Having the government specify minimum encryption strengths seems dangerous to me, as they will probably either be unreasonably hard on the little guy or hopelessly behind the times.

Thx, SbElectric, for your reply. My question regards your opinion of whether and how encryption should be included in legislation like the ones I noted in my question. Not exactly asking what the standards are. I can see what the laws say; they are totally vague. I am soliciting input from a broad range of people as to their opinions on this topic.
NIST guidelines are great, by the way. Which one or ones in particular would you highlight as "encryption" standards? There are hundreds of standards on that site and they don't have an "encryption" cluster.
I'll be interested to know your answer, thx.

Troy Tate, thanks. Are you recommending the law should explicitly require a 1024-bit minimum key length? I'm interested in what we feel the law should specify rather than how anyone recommends interpreting the law. Right now the law is totally vague.
JoeMellott seems to be saying the law should not attempt to require encryption because it is not feasible to come up with a reasonable standard.
Rklanke seems to agree that specifying encryption in the law is futile since its implementation has so many dependencies and these would also have to be explicitly specified.
SbElectric seems to be unclear but suggests using a NIST standard. An interesting idea, so I asked, which one? There seem to be hundreds, and "encryption" is not a NIST cluster topic.
Will be waiting to hear responses.

I say yes to encryption. A while back my bank lost a set of backup tapes that were not encrypted. That made me change banks. If a major bank is not following some standard of security in their data, that's just bad. As to how far we go in encrypting data, it depends. Financial, medical and others, definitely. As for your local store's mailing list, probably not. I'd say if you gave any info such as SSN, bank account, credit card or even birthdate info, it should be encrypted. We do not want to make identity theft any easier for the evildoers of the world. All it takes is a few pieces of personal data and it's not too hard to fill in the blanks.

Forgot to add something. Coming up with a standard would be hard because not all systems may be set up for the same level of encryption. That may be OK if you exchange data with another business and you have an agreed method in place for data exchange. How do you enforce or monitor the standardized encryption rule if it were in place? What would the penalties be for failure to comply?
